If so many public databases are non compliant my guess is that double that number are non compliant in the private sector.  A typical area of non compliance is the sharing of data between related companies.  Another area where the law is flagrantly disregarded, certainly by small businesses, is in giving access to data from outside the EU.

The problem with Data Protection laws is the lack of adequate budgets to allow for  real and effective enforcement of the law.  However, any FSA regulated business needs to beware as the FSA imposes draconian fines.  For example in January last year it fined HFC Bank Ltd for filing to take reasonable care, among other things, to have adequate systems and controls for the sale of its insurance
and in June last year it fined Merchant Securities Group Limited for not adequately protecting its customers from the risk of identity fraud.
These are just two random fines I found by searching for Data Protection fines on the FSA’s website.
It is important that companies appreciate that even if the Information Commissioner does not impose hefty fines on them for breaches of data protection, they would suffer serious  damage to reputation if their data breaches were to be discovered and highlighted in the public domain.

The ECJ recently decided on a case that could revive an interest in database protection.  In Directmedia Publishing v. Albert-Ludwigs-Universität Freiburg there was a dispute over the CD Rom entitled “1000 Poems Everyone Should Have” the defendant a Professor at Albert-Ludwigs-Universität Freiburg led a project to compile poetry from 1720 -1933. The project led to the Frieburg Anthology which is a compilation of the most important German poetry between 1700 and 1900. Part of this project included a list of poems put on the internet entitled “The 1,100 most important poems in German literature between 1730 and 1900“ detailed the frequency in which the poem was mentioned, the title, the author, the year of publication and the opening line.

Directmedia began selling a CD Rom in 2002 entitled “1,000 poems everyone should have.” 856 of these poems had appeared in the University Project. They admitted that they used the project as a guide but omitted some of the poems and adding in others. They also obtained the poems through their own sources. The university sued Directmedia alleging that their CD Rom infringed Dr. Knoop’s copyright in the compilation and the Universities database rights. The Court of First Instance found for the University on both issues. At the appellate level the court dismissed the claim of copyright infringement and referred a question on the database right to the ECJ about what the meaning of extraction is within the Database Directive.

The ECJ ruled that within the meaning of the Database Directive extraction is not limited to the physical copying of data and that extraction can occur either electronically or manually. The court ruled:

“The transfer of material from a protected database to another database following an on screen consultation of the first database and an individual assessment of the material contained in that first database is capable of constituting an ‘extraction’, to the extent …operation amounts to the transfer of a substantial part, evaluated qualitatively or quantitatively, of the contents of the protected database, or to transfers of insubstantial parts which, by their repeated or systematic nature, would have resulted in the reconstruction of a substantial part of those contents… it is of little importance that the act of transfer in question is for the purpose of creating another database, whether in competition with the original database or not, and whether the same or a different size from the original, nor is it relevant that the act is part of an activity, whether commercial or not, other than the creation of a database …. Moreover …, the transfer of all or a substantial part of the contents of a protected database to another medium, which would be necessary for the purposes of a simple on screen display of those contents, is of itself an act of extraction that the holder of the sui generis right may make subject to his authorisation.”

This rather enigmatic ruling suggests that a database right can be infringed when someone merely looks at the contents of one database and then uses some of the contents in another database.  Following this referral to the ECJ, the case will now go back to the Federal German court to make a determination in the case.

The problem with this decision by the ECJ is that they did not define the parameters between infringement and legitimate use. The Court may need to distinguish when consulting a database is a legitimate use and when that consultation amounts to extraction in future cases.

Database Infringment?